CVE-2023-25576

Name: CVE-2023-25576
Creator: NVD / NIST
Published: 2023-02-14T16:15:11.277+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.5/10EPSS 1.46%

Last modified Jun 17, 2026

CVE-2023-25576 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. @fastify/multipart is a Fastify plugin to parse the multipart content-type. Prior to versions 7.4.1 and 6.0.1, @fastify/multipart may experience denial of service due to a number of situations in which an unlimited number of parts are accepted. EPSS estimates a 1.46% chance of exploitation in the next 30 days.

Description

@fastify/multipart is a Fastify plugin to parse the multipart content-type. Prior to versions 7.4.1 and 6.0.1, @fastify/multipart may experience denial of service due to a number of situations in which an unlimited number of parts are accepted. This includes the multipart body parser accepting an unlimited number of file parts, the multipart body parser accepting an unlimited number of field parts, and the multipart body parser accepting an unlimited number of empty parts as field parts. This is fixed in v7.4.1 (for Fastify v4.x) and v6.0.1 (for Fastify v3.x). There are no known workarounds.

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Probability

1.46%

70.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Fastify	Fastify-Multipart	< 6.0.1
Fastify	Fastify-Multipart	>= 7.0.0, < 7.4.1

References

https://github.com/fastify/fastify-multipart/commit/85be81bedf5b29cfd9fe3efc30fb5a17173c1297Patch, Third Party Advisory
https://github.com/fastify/fastify-multipart/releases/tag/v6.0.1Release Notes, Third Party Advisory
https://github.com/fastify/fastify-multipart/releases/tag/v7.4.1Release Notes, Third Party Advisory
https://github.com/fastify/fastify-multipart/security/advisories/GHSA-hpp2-2cr5-pf6gThird Party Advisory
https://hackerone.com/reports/1816195Permissions Required, Third Party Advisory
https://github.com/fastify/fastify-multipart/commit/85be81bedf5b29cfd9fe3efc30fb5a17173c1297Patch, Third Party Advisory
https://github.com/fastify/fastify-multipart/releases/tag/v6.0.1Release Notes, Third Party Advisory
https://github.com/fastify/fastify-multipart/releases/tag/v7.4.1Release Notes, Third Party Advisory
https://github.com/fastify/fastify-multipart/security/advisories/GHSA-hpp2-2cr5-pf6gThird Party Advisory
https://hackerone.com/reports/1816195Permissions Required, Third Party Advisory

Timeline

Published: Feb 14, 2023
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2023-25576?

How severe is CVE-2023-25576?

CVE-2023-25576 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 1.46% probability of exploitation in the next 30 days.

How do I fix CVE-2023-25576?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-25576?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST